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Abstract 



We introduce a game-theoretic framework to study the hypothesis testing problem, in the presence 
of an adversary aiming at preventing a correct decision. Specifically, the paper considers a scenario in 



which an analyst has to decide whether a test sequence has been drawn according to a probability mass 
function (pmf) Px or not. In turn, the goal of the adversary is to take a sequence generated according 
to a different pmf and modify it in such a way to induce a decision error. Px is known only through 
one or more training sequences. We derive the asymptotic equilibrium of the game under the assumption 
c/3 ■ that the analyst relies only on first order statistics of the test sequence, and compute the asymptotic 

o 

payoff of the game when the length of the test sequence tends to infinity. We introduce the concept 
of indistinguishability region, as the set of pmf's that can not be distinguished reliably from Px in 
£Nl . the presence of attacks. Two different scenarios are considered: in the first one the analyst and the 



adversary share the same training sequence, in the second scenario, they rely on independent sequences. 
The obtained results are compared to a version of the game in which the pmf Px is perfectly known to 



(--») \ the analyst and the adversary. 
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I. Introduction 

Hpothesis testing is a widely studied topic with applications in virtually all technological and scientific 
fields. In its most basic form, an analyst is asked to decide which among two hypotheses, usually referred 
to as null hypothesis (or Hq) and alternative hypothesis (H\), is true based on a set of observables, say 
x n = {x\, X2 ■ ■ ■ x n ). Several versions of the problem are obtained according to the knowledge that the 
analyst has on the probability distribution of the observables when one of the two hypotheses holds. In 
some cases, the probability mass function (pmf£| conditioned to the two hypotheses is known, in other 
cases only the pmf under Hq is known, in yet other cases only a number of sample observables (hereafter 
referred to as training sequences) obtained under Hq and Hi are available. 

Due to its importance, hypothesis testing has been extensively studied and a solid theoretical framework 
has been built permitting to analyze and understand its many facets. In the last years, though, many 
applications have emerged in which hypothesis testing is given a new twist, due to the presence of an 
adversary aiming at making the test fail. In multimedia forensics [U, for instance, a forensic analyst 
may be asked to decide whether an image has been acquired by a given camera, notwithstanding the 
presence of an adversary aiming at deleting the acquisition traces left by the camera. In the same way, 
the analyst may be asked to decide whether a signal has undergone a certain processing or not, by taking 
into account the possibility that someone deliberately tried to delete the traces left during the processing 
phase. 

Another popular example comes from spam filtering [0, wherein an anti-spam filter is presented with 
a test e-mail and must decide whether the e-mail contains a genuine or a spam message. It is obvious 
that such a test can not neglect the presence of an adversary trying to shape the message in such a way 
to fool the filter. 

Biometric authentication provides a further example. In this case the authentication system must decide 

'Since in the rest of the paper we will assume that the elements of x n belong to a finite alphabet, we prefer to use the term 
probability mass function instead of probability density function, even if at this stage we do not need to restrict our attention to 
the discrete case. 
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whether a biometric template belongs to a certain individual, despite the opposite efforts of an attacker 
aiming at building a fake template that passes the authentication test ll3l. fill. 

Other examples include: watermarking, where the detector is asked to decide whether a document 
contains a given watermark or not |2J, steganalysis, in which the steganalyzer has to distinguish between 
cover and stego images J6), network intrusion detection, wherein anomalous traffic conditions must be 
distinguished from normal ones [7j, reputation systems |]8], for which it is essential to distinguish between 
genuine and malevolent scores, anomaly detection, cognitive radio |9), and many others. In all these fields, 
the system designer has to take into account the presence of one or more adversaries explicitly aiming 
at system failure. 

In the framework depicted above, the goal of this paper is to move a first step towards the construction of 
a general theoretical framework to analyze the binary hypothesis testing problem by taking into account 
the presence of an adversary aiming at impeding a correct decision. More specifically, we introduce 
and analyze an adversarial version of the Neyman-Pearson setup in which an analyst and an adversary, 
hereafter referred to as the Defender (D) and the Attacker (A), face each other in a rigorously defined 
context. As in the classical Neyman-Pearson scenario, we assume that the type-I error probability (i.e., 
the probability of rejecting Hq when Hq holds) is in some way fixed and that D and A are interested 
in minimizing, res. maximizing, the type-II error probability (i.e. the probability that the analyst accepts 
Hq when H\ holds). In order to do so, we adopt a game-theoretic framework, in which the defender and 
the attacker have opposite goals and operate by satisfying a different set of requirements, all together 
specifying the nature of the game. The final goal will be the derivation of the optimum strategies for 
the defender and the attacker in terms of game equilibrium points, and the study of the achievable 
performance at the equilibrium. 

A. Prior art 

The use of game theory to model the impact that the presence of an adversary has on (binary) hypothesis 
testing is not an absolute novelty. In many security oriented fields in which hypothesis testing plays a 
central role, game theory has been advocated to avoid entering a cat and mouse loop in which researchers 
alternatively play the role of the defender and the attacker, and continuously develop new countermeasures, 
each time by attacking a specific algorithm or strategy. 

By referring to multimedia forensics, in iTTOl Bohme and Kirchner cast the forensic problem in a 
hypothesis testing framework. Several versions of the problem are defined according to the particular 
hypothesis being tested, including distinction between natural and computer generated images, ma- 
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nipulation detection, source identification. Counter-forensics is then defined as a way to degrade the 
performance of the hypothesis test envisaged by the analyst. By relying on arguments similar to those 
used in steganography and steganalysis Ifm , Bohme and Kirchner argue that the divergence between the 
probability density functions of the observed signals after the application of the counter-forensic attack 
is a proper way to measure the effectiveness of the attack. Noticeably, such measure does not depend 
on the particular investigation technique adopted by the analyst. Even if Bohme and Kirchner do not 
explicitly use a game-theoretic formulation, their attempt to decouple the counter-attack from a specific 
forensic strategy can be seen as a first - implicit - step towards the definition of the equilibrium point of a 
general multimedia forensics game. Another work loosely related to the present paper is lfT2l . where the 
authors introduce a game-theoretic framework to evaluate the effectiveness of a given attacking strategy 
and derive the optimum countermeasures. As opposed to our analysis, in |[T2l the attacker's strategy 
is fixed and the game-theoretic framework is used only to determine the optimum parameters of the 
forensic analysis and the attack, thus failing to provide a complete characterization of the game between 
the attacker and the analyst. 

Game theory and information theory have been used in watermarking to model the interplay be- 
tween the watermaker and the attacker. In |[T3l . lfT4l . IT731 . the game is played between the watermark 
embedder/decoder and an attacker who attempts to degrade the embedded message by modifying the 
watermarked signal, e.g. by adding some noise. The payoff of the game is usually the capacity of the 
watermark channel. A problem that is closer to the one addressed in this paper is the one considered in 
|[T6*1 , where the jointly optimum embedding and detection strategies for a detector with limited resources 
are derived. Indeed, the approach used in the present paper is reminiscent of the analysis carried out in 
lfT6l . given that in both cases the analysis focuses on an asymptotic version of the problem in which the 
resources available to the defender are limited. As opposed to the present work, however, the analysis 
in lfl6l is carried out under the assumption that no attack is present or that the attack channel is fixed, 
and the resort to a min-max optimization is due only to the necessity of finding the jointly optimum 
watermark embedding and detection strategies. 

The work that is most closely related to the present paper is ifTTl . where the source identification 
game with known statistics is introduced and the corresponding asymptotic Nash equilibrium derived. As 
a matter of fact, even if IfTTl restricts the analysis to multimedia forensics, the framework adopted to model 
the game between the forensic analyst and the adversary is very general and can also be used to model 
a binary hypothesis testing problem in which the statistics of the observables under the null hypothesis 
are perfectly known to the defender and the attacker. In order to avoid replicating the analysis carried 
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out in ifTTfl . by incorporating only the few modifications needed to extend it from multimedia forensics 
to general hypothesis testing, here we focus on a different version of the game in which the statistics 
of the observables under Hq are known only through training data. This represents a major deviation 
from IfTTl . requiring a thorough reformulation of the problem and a new derivation of the equilibrium 
point. In order to make the current paper self-contained and allow the reader to better appreciate the 
difference between the results obtained in [17] and the new findings provided here, we summarize the 
main definitions and results of lUTl in Section JII] 

B. Contribution 

With the above ideas in mind, in this paper we address the following problem, hereafter referred to as 
the binary hypothesis testing problem with training data (HT tr ). Let X ~ Px be a discrete memoryless 
(DM) source ruling the emission of observables under Hq, and let x n be a test sequence, i.e., a sequence 
of observables. The goal of the defender is to accept or reject hypothesis Hq, that is, to decide whether 
x n was drawn from X or noo In doing so, D must ensure that the type-I error probability does not 
exceed a predefined value. Let then Y ~ Py be a second DM source and let y n = (2/1,2/2 • • -Vn) be a 
sequence generated by Y. It is the aim of A to transform y n into a new sequence z n in such a way that 
when presented with z n the defender accepts Hq. We also impose that A satisfies a distortion constraint 
requiring that the distance between y n and z n is below a certain threshold. As opposed to lUTl . D and A 
do not know the exact statistics of Px and Py, since all they know is a training sequence drawn from 
X. 

Given the above scenario, the goal of this paper is to propose a rigorous game-theoretic framework to 
cast the HT tr problem in, and derive the asymptotic equilibrium point of the game under a simplifying 
hypothesis about the kind of analysis which D can carry out. We will do so for two different versions 
of the game stemming from different assumptions about the relationship between the training sequence 
available to the defender and that available to the attacker. In a first case, we will assume that A and 
D share the same training sequence, while in the second part of the paper we will assume that the two 
sequences are generated independently from each other. The main results proven in the paper can be 
summarized as follows: 

1) We show that under the limited resources assumptions |[T6l . the HT tr game admits an asymptotic 

'In order to keep the notation as light as possible, we use the symbol x n to indicate the test sequence even if, in principle, 
it is not known whether x n originated from X or not. 
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equilibrium. We also prove that the asymptotic equilibrium point is the only rationalizable equilib- 
rium of the game |[T8l . |[T9l . Such an equilibrium is much stronger than the usual notion of Nash 
equilibrium, since the strategies corresponding to such an equilibrium are the only ones that two 
rationale players may adopt (Theorem [3] Section [V); 

2) We compute the payoff at the equilibrium for the defender and the attacker, and introduce the notion 
of indistinguishability region, defined as the region with the Py's that can not be distinguished 
reliably (i.e. with a vanishing type II error probability) from Px (Theorem 01 Section rvTT>; 

3) We compare the achievable payoff of the HT tr game with the results obtained in ifTTl , where D 
and A have a perfect knowledge of Px, showing that the HT tr game is more favorable to the 
attacker with respect to the situation analyzed in IfTTl (Theorem [5j Section IVD); 

4) We show that the indistinguishability region is the same when D and A share the same training 
sequence and when they rely on independent sequences (Theorem [6l Section I Vill i. 

With regard to 1), the asymptotic equilibrium point when D and A rely on the same training sequence was 
already derived in |[20l , without realizing that the equilibrium is indeed stronger than a Nash equilibrium. 
The case of independent training sequences has never been studied before. The methodology used to derive 
the equilibrium point goes along the same lines used in |[T6l to derive the jointly optimum watermark 
embedding and detection strategy. Finally, the optimum strategy of the defender can be paralleled to 
the results obtained in 11211 . even if in a completely different context. As to point 2), our results are 
closely related to Sanov's theorem C2l . 11231 , however, to the best of our knowledge, their derivation in 
a game-theoretic context is not trivial and represents an original contribution of the present paper. 

The rest of this work is organized as follows. In Section |Il] we introduce the notation and definitions 
used throughout the paper. In Section JIIJ we recall the main results proved in iTTTl by casting them into 
a hypothesis testing framework. Such results represent the baseline against which we will compare the 
new results obtained in this paper. In Section [TV] we formally introduce the HT tr game and lay the 
basis for the analysis carried out in the subsequent sections. Section [V] is devoted to the derivation of the 
equilibrium point of the HT tr game when A and D share the same training sequence. The payoff at the 
equilibrium is analyzed in Section EH where we also introduce the notion of indistinguishability region. 
The case of independent training sequences is analyzed in Section IVIIj The paper ends in Section IVIII1 
with some conclusions and hints for future research. Some of the most technical proofs are given in the 
the appendix, so to avoid interrupting the main flow of ideas. 
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II. Notation and definitions 

In the rest of this work we will use capital letters to indicate discrete memoryless sources (e.g. X). 
Sequences of length n drawn from a source will be indicated with the corresponding lowercase letters 
(e.g. x n ). In the same way, we will indicate with Xi, i = l,n the i— th element of a sequence x n . The 
alphabet of an information source will be indicated by the corresponding calligraphic capital letter (e.g. 
X). Calligraphic letters will also be used to indicate classes of information sources (C). The pmf of a 
discrete memoryless source X will be denoted by Px- The same notation will be used to indicate the 
probability measure ruling the emission of sequences from a source X, so we will use the expressions 
Px(a) and Px(x n ) to indicate, respectively, the probability of symbol a G X and the probability that 
the source X emits the sequence x n , the exact meaning of Px being always clearly recoverable from 
the context wherein it is used. Given an event A (be it a subset of X or X n ), we will use the notation 
Px{A) to indicate the probability of the event A under the probability measure Px- 

Our analysis relies extensively on the concepts of type and type class defined as follows (see E2l and 
|[24l for more details). Let x n be a sequence with elements belonging to an alphabet X. The type P x n 
of x n is the empirical pmf induced by the sequence x n , i.e. Va G X , P x n (a) = - Y17=l ^( x *> a )> where 
5(xi,a) = 1 if Xi = a and zero otherwise. In the following we indicate with V n the set of types with 
denominator n, i.e. the set of types induced by sequences of length n. Given P G V n , we indicate with 
T(P) the type class of P, i.e. the set of all the sequences in X n having type P. 

The Kullback-Leibler (KL) divergence between two distributions P and Q on the same finite alphabet 
X is defined as: 

P( J P||Q) = ^P(a)log^, (1) 

where, as usual, OlogO = and plogp/0 = oo if p > 0. 

A. Hypothesis testing framework 

Given a sequence x n G X n , as a result of the test, X n is partitioned into two complementary regions A 
and A c , such that for x n G A the defender decides in favor of Hq, while for x n G A c Hi is preferred. We 
say that a Type-I error occurs if Hi is chosen even if Ho holds. In the same way, we say that a Type-II 
error occurs when Hi holds but Hq is chosen. In the following, we will refer to Type-I errors as false 
positive errors (or false alarms) and to Type-II as false negative (or missed detection), and will indicate 
the probability of such events as Pf p and Pj n respectively. The motivation for such a terminology comes 
from applications in which Hq is seen as a standard situation and its rejection in favor of Hi raises an 
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alarm since something unusual happened. It goes without saying that our derivation remains valid even 
in different scenarios where the false positive and false negative terms may not be appropriate. In our 
analysis we are mainly interested in the asymptotic behavior of Pf p and Pf n when n tends to infinity. 
In particular we define the false positive (A) and false negative (e) error exponents as follows: 

A=lim-^^; £ =lim-^^, (2) 

n— >oo 77, n— >oo 77, 

where the log's are taken in base 2. 

B. Game Theory 

As we said, the goal of this paper is to model the binary hypothesis testing problem in an adversarial 
setting as a 2-player game. More formally, a 2-player game is defined as a 4-uple Gr(«Si, 62,1*1, 1*2). 
where S\ = {s\,\ . . . Si,m} an d 62 — {•S2,i • • • S2,n 2 } are the set of strategies (actions) the first and the 
second player can choose from, and ui{s\^, S2j), I = 1,2, is the payoff of the game for player I, when 
the first player chooses the strategy s\ t i and the second chooses S2j. A pair of strategies (si t i,S2j) is 
called a profile. In a zero-sum competitive game, the two payoff functions are strictly related to each 
other since for any profile we have ui(si t i, S2,j) + ^(si.i, S2,j) = 0. In other words, the win of a player 
is equal to the loss of the other. In the particular case of a zero-sum game, then, only one payoff function 
needs to be defined. Without loss of generality we can specify the payoff of the first player (generally 
indicated by u), with the understanding that the payoff of the second player 7/2 is equal to —u. In the 
most common formulation, the sets «Si, £2 an d the payoff functions are assumed to be known to both 
players. In addition, it is assumed that the players choose their strategies before starting the game so that 
they have no hints about the strategy actually chosen by the other player (strategic game). 

A common goal in game theory is to determine the existence of equilibrium points, i.e. profiles 
that, in some sense represent a satisfactory choice for both players. While there are many definitions of 
equilibrium, the most famous and commonly adopted is the one due by Nash ||2"5l , ||26l . For the particular 
case of a 2-player game, a profile (si^*, S2j*) is a Nash equilibrium if: 

ui((si,i* , s 2> j*)) > ui((si,j,s 2 j.)) Vsy G Si 

U2((si,i- , S 2 J')) > U 2 ((si ti * , S2,j)) Vs 2 ,j G <S 2 , 

where for a zero-sum game U2 = — U\. In practice, a profile is a Nash equilibrium if each player does 
not have any interest in changing its choice assuming the other does not change its strategy. 

Despite its popularity, the practical meaning of Nash equilibrium points is difficult to grasp, since 
there is no guarantee that the players will end up playing at the equilibrium. This is particularly evident 
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when more than one Nash equilibrium exists. A definition of game equilibrium with a more practical 
meaning can be obtained by relying on the notion of dominant and dominated strategies. A strategy is 
said to be strictly dominant for one player if it is the best strategy for the player, no matter how the 
other player may play. In a similar way, we say that a strategy s^i is strictly dominated by strategy 
sij, if the payoff achieved by player I choosing si { is always lower than that obtained by playing sij 
regardless of the choice made by the other player. The recursive elimination of dominated strategies is 
one common technique for solving games. In the first step, all the dominated strategies are removed from 
the set of available strategies, since no rational player would ever play them. In this way a new smaller 
game is obtained. At this point, some strategies, that were not dominated before, may be dominated in 
the remaining game, and hence are eliminated. The process goes on until no dominated strategy exists 
for any player. A rationalizable equilibrium is any profile which survives the iterated elimination of 
dominated strategies. If at the end of the process only one profile is left, the remaining profile is said 
to be the only rationalizable equilibrium of the game, which is also the only Nash equilibrium point. 
The corresponding strategies are the only rational choice for the two players and we say that the game 
is dominance solvable. Dominance solvable games are easy to analyze since, under the assumption of 
rational players, we can anticipate that the players will choose the strategies corresponding to the unique 
rationalizable equilibrium ||27l . 

III. Binary hypothesis testing game 

WITH KNOWN SOURCES 

In this section, we use the framework introduced in ifPTI to define a version of the hypothesis testing 
game in which the pmf 's ruling the emission of sequences from X and Y are known to both D and A. 
We also summarize the main results proven in luTI , so to ease the comparison with the new results that 
will be proven in the rest of the paper. 

Let X and Y be two DM sources with the same alphabet X. Let y n be a sequence drawn from Y and 
let z n be a modified version of y n produced by A in the attempt to deceive D. The binary hypothesis 
testing game under the known source assumption {HT^ S ) is defined as follows. 

Definition 1. The HT^^SdiSa^u) game is a zero-sum, strategic, game played by D and A, defined by 
the following strategies and payoff. 

• The set of strategies D can choose from is the set of acceptance regions Afar which the false positive 
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probability is below a certain threshold: 

S D = {k: P x (x n ik)< P fp }. (4) 

• The set of strategies A can choose from is formed by all the functions that map a sequence y n € X n 
into a new sequence z n G X n subject to a distortion constraint: 

S A = {f(y n ):d(y n ,z n )<nD}, (5) 

where d(-,-) is a proper distance measure and D is the maximum allowed per-letter distortion. 

• The payoff function is defined as the false negative error probability (Pf n ), namely: 

u(A,f) = -P fn = - ]T P Y (y n )- (6) 

ir:/(ir)eA 

Given the difficulty of studying the game defined above, a simplified version of the game is introduced 
in IfTTl wherein the set of strategies available to D is limited. More specifically, the so-called limited 
resources assumption is introduced, forcing D to base its analysis only on first order statistics of x n . 
Stated in another way, it is required that A is a union of type classes. Since a type class is univocally 
defined by the empirical probability mass function of the sequences contained in it, the acceptance region 
A can be seen as a union of types P S Pn. As an additional simplification, the constraint on the false 
positive probability is defined in asymptotic terms, requiring that Pf p decreases exponentially fast with 
a given decay rate. All these considerations lead the following definition: 

Definition 2. The HT^ s (Sd,Sa, u) game is a game between D and A defined by the following strategies 
and payoff: 

S D = {Ae 2 V - : P fp < 2" A "}, (7) 

S A = {f(y n ):d(y n J(y n ))<nD}, (8) 

u(A,f) = -P fn , (9) 



where 2^ n indicates the power set of V n . From the analysis given in IfTTl we know the following 
results. 

Theorem 1. The profile (A£ s ,/£ s ) with 

AL = [p G V n : V{P\\P X ) < A - \X\ l ° g( - n n +1) \ , (10) 
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and 



/^(y n ) = arg vain V(P zn \\P x ). (11) 

z" :d(z n ,y m )<nL) 



defines an asymptotic Nash equilibrium for the HTlf game. 

As a matter of fact, from the proof given in lim . it is easy to see that (A£ , f ks ) is the only rationalizable 
equilibrium of the game and hence HT ks is a dominance solvable game. 

A fundamental consequence of Theorem [His that the optimum strategies for D and A do not depend on 
Py hence making the assumption that Py is known irrelevant. With a few modifications, then, Theorem 
Q] can be applied to a composite hypothesis testing scenario in which only the pmf conditioned to Hq is 
known E81 . 

The second main result proven in ifTTl regards the payoff at the equilibrium, and specifies under which 
conditions it is possible for D to devise a decision strategy such that Pf n tends to zero exponentially fast 
when n tends to infinity. Let T ks be defined as follows: 

T n k ={P G V n : Vy" G T(P), 3z n € A* ks s.t. d(y n , z n ) < nD} (12) 

and let the asymptotic version of T ks be defined as 

r% = ci(\Jr n ks Y (13) 

where cl(S) indicates the closure of the set S. The following theorem holds: 



Theorem 2. For the HT l k r s game, the error exponent of the false negative error probability at the 
equilibrium is given by: 

e ks = min V(P\\Py), (14) 

pgpoo 

leading to the following cases: 

1) e ks = 0, ifPyET™; 

2) e ks ^0, ifPy$Tf s . 

where e ks indicates the false negative error exponent at the equilibrium. Given two pmf's Px and Py, 
a distortion constraint D and the desired false positive error exponent A, Theorem [2] permits to understand 
whether D may ever succeed to make the false negative error probability vanishingly small and thus win 
the game. As a matter of fact, this is possible only if Py £ T^, since otherwise e ks = 0. We will call 
T^ the indistinguishability region for Px, i.e. set of sources that under certain conditions (summarized 
by D and A) are not distinguishable from Px- 
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IV. Binary hypothesis testing game 

WITH TRAINING DATA 

The analysis carried out in ifTTI requires that Px and Py are known to D and A (as we have seen in 
the previous section, in the asymptotic case only the knowledge of Px is required). To get closer to a 
realistic scenario, we now remove this assumption introducing the hypothesis testing game with training 
data. 

Let C be the class of discrete memoryless sources with alphabet X , and let X ~ Px be a source in 
C. As for the HT^s game, the goal of D is to decide whether a test sequence x n was drawn from X 
or not. To make his decision, D relies on the knowledge of a training sequence t^ drawn from X. On 
his side, A takes a sequence y n emitted by another source Y ~ Py still belonging to C and tries to 
modify it in such a way that D thinks that the modified sequence was generated by the same source that 
generated tp. As usual, the attacker must satisfy a distortion constraint stating that the distance between 
the modified sequence and y n must be lower than a threshold. Like the defender, A knows Px through 
a training sequence t\, that in general may not coincide with tp. We assume that t^, tj[, x n and y n are 
generated independently. With regard to Py, we could also assume that it is known through two training 
sequences, one available to A and one to D, however we will see that - as for known sources and at 
least in the asymptotic case - such an assumption is not necessary, and hence we take the simplifying 
assumption that Py is known to neither D nor A. Let, then, Hq be the hypothesis that the test sequence 
has been generated by the same source that generated tp and let A be the acceptance region for Ho. 
In the following, we will find convenient to think of A as a subset of X n x X N , i.e., as the set of all 
the pairs of sequences (x n ,£^) that the defender considers to be drawn from the same source. With the 
above ideas in mind, and by paralleling the definition given in Section Jill we define a first version of 
the binary hypothesis testing game with training sequences as follows: 

Definition 3. The HTtr, a {<SD,<SA, u) game is a zero-sum, strategic, game played by D and A, defined by 
the following strategies and payoff. 

• The set of strategies D can choose from is the set of acceptance regions A for which the maximum 
false positive probability across all possible Px € C is lower than a given threshold: 

S D = {A: max P x {(x n , t%) £ A} < P fp }, (15) 

p x ec 

where Pf p is a prescribed maximum false positive probability, and where Px{{x n ,t^ ) ) ^ A} 
indicates the probability that two independent sequences generated by X do not belong to A. Note 
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that the acceptance region is defined as a union of pairs of sequences, and hence A C X n x X N . 

• The set of strategies A can choose from is formed by all the functions that map a sequence y n 
generated by Y into a new sequence z n subject to a distortion constraint: 

Sa = {f(y n , t K A ) ■ d(y n , f(y n , *f )) < nD}, (16) 

where d(-,-) is a proper distance function and D is the maximum allowed per-letter distortion. Note 
that the function /(•) depends on if, since when performing his attack A can exploit the knowledge 
of his training sequence. 

• The payoff function is defined in terms of the false negative error probability, namely: 

u(Aj) = -p fn = -J2 p y(y n ) p x(4)Px(4), en) 

»":(/&/ B ,*3f),tg)6A 
where the error probability is averaged across all possible y n and training sequences and where 
we have exploited the independence ofy n ,t^ and if. 

A. Discussion 

Before going on with the analysis, we pose to discuss some of the choices we implicitly made with 
the above definition. 

A first observation regards the payoff function. As a matter of fact, the expression in ([T7T ) looks 
problematic, since its evaluation requires that the pmf 's Px and Py are known, however this is not the 
case in our scenario since we have assumed that Px is known only through i^ and if , and that Py is 
not known at all. As a consequence it may seem that the players of the game are not able to compute the 
payoff associated to a given profile and hence have no arguments upon which they can base their choice. 
While this is indeed a problem in a generic setup, we will show later on in the paper that asymptotically 
(when n, N and K tend to infinity) the optimum strategies of D and A are uniformly optimum across all 
Px and Py and hence the ignorance of Px and Py is not a problem. One may wonder why we did not 
define the payoff under a worst case assumption (from D's perspective) on Px and/or Py. The reason is 
that doing so would result in a meaningless game. In fact, given that X and Y are drawn from the same 
class of sources C, the worst case for D would always correspond to X = Y for which no meaningful 
decision is possible^. 

3 Alternatively, we could assume that X and Y belong to two disjoint source classes Cx and CV- We leave this analysis for 
further research. 
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As a second remark, we stress that we decided to limit the strategies available to A to deterministic 
functions of y n . This may seem a limiting choice, however we will see in the subsequent sections that, 
at least asymptotically, the optimum strategy of D depends neither on the strategy chosen by A nor on 
Py, then, it does not make sense for A to adopt a randomized strategy to confuse D. 

A last, even more basic, comment regards the overall structure of the game. In our definition we 
assumed that the attacker does not intervene when Hq holds, since we restricted his interest to the false 
negative error probability. An alternative approach could be to let the attacker modify also the sequences 
generated by X in the attempt to increase the false positive rate. We could also depart from the Neyman- 
Pearson set up and define the payoff in terms of the overall error probability, or the overall Bayes risk 
defined on the basis of suitable cost functions associated to the two kinds of errorsQ While these are 
interesting research directions, in this paper we restrict our analysis to the game specified by Definition 
13 and leave the alternative approaches for future research. 

B. Game variants 

Two different variants of the HT tr , a game are obtained by assuming a different relationship between 
the training sequences. In certain cases, we may assume that D has a better access to the source X than 
A (see ||29l for a multimedia forensics scenario in which such an assumption holds quite naturally). In 
our framework, we can model such a situation by assuming that the sequence t\ is a subsequence of 
tp, leading to the following definition. 

Definition 4. The HTt rt b(<SD,SA,u) game is a zero-sum, strategic, game defined as the HTt r<a game 
with the only difference that t^ = (i,A i+u ^A 1+2 ■ ■ ■ ^AI+k) with I and K known to D. 

Yet another variant is obtained by assuming that the training sequence available to A is equal to that 
available to D. 

Definition 5. The HTt rjC (SD,SA,u) game is a zero-sum, strategic, game defined as the HTt T , a game 
with the only difference that K = N and t\ = tp (simply indicated as t in the following). The set of 
strategies of D and A are the same as in the HTt r , a game, while the payoff is redefined as: 

u(A, /) = -P fn = -^P Y (y n )Px(t N ). (18) 

t N &X N 
3/":(/fe",i"),t JV )eA 

4 In this case it would be necessary that the a-priori probabilities of the two hypotheses are known. 
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In the rest of the paper we will first focus on version c of the game, and then extend our results so to 
cover version a as well. 

C. Hypothesis testing game with limited resources 

Studying the existence of an equilibrium point for the HT tr , c game is a prohibitive task, hence we 
use the same approach adopted in |[T6l , IfTTl and consider a simplified version of the game in which D 
can only base his decision on a limited set of statistics computed on the test and training sequences. 
Specifically, we require that D relies only on the relative frequencies with which the symbols in X appear 
in x n and t , i.e. P x n and Pt«. Note that P x n and P t N are not sufficient statistics for D, since even if 
Y is a memoryless source, the attacker could introduce some memory within the sequence as a result 
of the application of /(•). In the same way he could introduce some dependencies between the attacked 
sequence z n and t N . It is then necessary to treat the assumption that D relies only on P x n and P t N as 
an explicit requirement. 

Following |fl6l and IfTTl , we call this version of the game hypothesis testing with limited-resources, 
and we refer to it as the HT^. C game. As a consequence of the limited resources assumption, A can only 
be a union of Cartesian products of pairs of type classes, i.e. if the pair of sequences (x n , t ) belongs to 
A, then any pair of sequences belonging to the Cartesian product T(P x n) x T(P t N) will also be contained 
in A. Since a type class is univocally defined by the empirical pmf of the sequences contained in it, we 
can redefine A as a union of pairs of types (P, Q) with P G V n and Q G Vn- In the following, we will 
use the two interpretations of A (as a set of pairs of sequences or pairs of types) interchangeably, the 
exact meaning being always recoverable from the context. 

We are interested in studying the asymptotic behavior of the game when n and N tend to infinity. To 
avoid the necessity of considering two limits with n and N tending to infinity independently, we will 
express A as a function of n, and study what happens when n tends to infinity. This assumption does 
not reduce the generality of our analysis, however it destroys the symmetry of the hypothesis testing 
problem with respect to the two sequences x n and t^. The consequences of this loss of symmetry will 
be discussed in Section IV-Ai 

We are now ready to define the asymptotic HTJ^ C game. Specifically, we have: 

Definition 6. The HT{j. c (Sd,<Sa, u) game is a zero-sum, strategic, game played by D and A, defined by 
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the following strategies and payoff: 

S D = {AcV n xV N : (19) 



ma,xPx{(x n ,t N ^ n >) £ A} < 2~ An |, 

Px£C 



c n ,t N(n) ) i A} <2~ An ] 
S A = {f{y n ,t N ^) : d(y n J(y n ,t N ^)) < nD} : (20) 



u(A,f) = -P fn = - J2 Py(y n )Px(t N{n) ). (21) 






Note that we ask that the false positive error probability decays exponentially fast with n, thus opening 
the way to the asymptotic solution of the game. Similar definitions can be given for versions a and b of 
the game. 

V. Asymptotic equilibrium of the HTf£ c game. 

We start the analysis of the asymptotic equilibrium point of the HTJ^ C game by determining the 
optimum acceptance region for D. To do so we will use an analysis similar to that carried out in ||2TI to 
study hypothesis testing with observed statistics. The main difference between our analysis and ||2TI is 
the presence of the attacker, i.e. the game-theoretic nature of our problem. The derivation of the optimum 
strategy for D passes through the definition of the generalized log-likelihood ratio function h(x n ,t N ). 
Given the test and training sequences x n and t N , the generalized log-likelihood ratio function is defined 

as (ED, ED1B 

N 

h(x n ,t N ) = V(P xn \\P rn+ N) + — V(P t N\\P r n+N), (22) 

n 

where P Tn+N indicates the empirical pmf of the sequence r n+N , obtained by concatenating x n and t N , 

i.e. 

f 

Xj i < n 

(23) 

tj_ n n < i < n + N 

Observing that h(x n ,t N ) depends on the test and the training sequences only through their empirical 
pmf, we can also use the notation h(P x ^,P t N). The study of the equilibrium for the RT\f T c game passes 
through the following lemmas. 

5 To simplify the notation, when it is not strictly necessary, we omit to indicate explicitly the dependence of A^ on n. 
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Lemma 1. For any Px we have: 

nT>(P x u\\P rn +N)+NV(P t N\\P r r,+N) < (24) 

nV(P x n\\P x ) + NV(Pt*\\Px), 
with equality holding if only if Px = P r ™+ N - 

The proof of Lemma Q] is given in Appendix |A] 

Lemma 2. Let A* r c £>e defined as follows: 

At >c ={(P x „P tN ): h(P x „P tN )<X-\X\ l °^ n + ^ N + i n (25) 



with 



lim MiV(n) + l) =0 

n— >oo fi 



1) maxp Y PxKx™,^) £ A^J < 2" n ( A ~^), wiffc i/ n -> 0, /or n -)■ oo, 

2) VA G 5d. we fcave A c C Aj£. 

Proof: Being A£ r c a union of pairs of types (or, equivalently, a union of Cartesian products of type 
classes), we have: 

maxP fB = max V P x (x n ,t N ) (27) 

Px Px&C ^-^ 

(x",t«)GA*- c 

= max V P X (T(P X ~) x T(P t s)). 

Px&C *-^ 

(p,»,P tN )eA^ c 
For the class of discrete memoryless sources, the number of types with denominators n and N is bounded 
by (n + 1)1*1 and (N + 1)1*1 respectively (22], so we can write: 

maxPf„ < max max (28) 

Px Px (P^,P t «)eA*^ c 

[(n + l)W(N + l)Wp x (T(P xn )xT(P tN ))) 

< (n + 1)1*1 (AT + 1)1*1 ■ 

max max 2 -n[V { P^\Px) + ^V(P tN \\P x )]^ 

Px (P x r,,p tN )eAZ% 

where in the second inequality we have exploited the independence of x n and t and the property of 

types according to which for any sequence x n we have Px(T(P x ™)) < 2~ nX> ( p ^' , ll p - ,f ) (see |[22l ). By 
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exploiting Lemma [Q we can write: 

maxP fp < (ra + l) |,v| (./V + 1)W (29) 



I'x 



max 2 ~ n] P( p * n \\ p ^^ + ^ v{ - p t N \\ p ^+»)} 

I Vl I VI /\ I v| log(n. + l)(JV + l) \ 

< (n + l) 1 * 1 ^ + l) 1 * 1 2-™( A -l*l^^r L ) 

_ 9 -n(A-2|A'| 1 ° g( " +1)(JV + 1) ) 



where the last inequality derives from the definition of A^ r c . Together with (1261 ), equation (1291 proves 
the first part of the lemma with v n = 2|,y| Iog(n+ y jV+1) . 

For any A € Sd, let (x n ,t N ) be a generic pair of sequences contained in A c , due to the limited 
resources assumption the cartesian product between T(P x n) and T(P t «) will be entirely contained in A c . 
Then we have: 

2" An >maxP 1 (A c ) (30) 

Px 

> maxP x (T(P xn )xT(P tN )) 

Px 

(ft) 2 -n[V(P in \\Px)+^V(P tN \\Px)} 

> max 



Px (n + 1)1*1 (AT + 1)1*1 



(n + 1)1*1 (AT + 1)1*1 
where (a) is due to the limited resources assumption, (b) follows from the independence of x n and t N 
and a lower bound on the probability of a pair of type classes ll22l . and (c) derives from Lemma [Q By 



taking the logarithm of both sides we find that (x n ,t ) G A^ c c , thus completing the proof. ■ 

The first part of Lemma [2] shows that, at least asymptotically, A* r c belongs to Sd, while the second part 
implies the optimality of A£ r c . An important observation is that the optimum strategy of D is univocally 
determined by the false positive constraint. This solves the apparent problem that we pointed out when 
defining the payoff of the game, namely that the payoff depends on Px and Py and hence it is not 
fully known to D. We also observe that A£ rc does not depend on t^, hence it is the optimum defender's 
strategy even for versions a and b of the HT^ game. For this reason, from now on we will simply 
indicate it as A| r . 

The most important consequence of Lemma |2] is that the optimum strategy of D does not depend on 
the strategy chosen by the attacker, that is A| r is a strictly dominant strategy for D. In turn this simplifies 
the analysis of the optimum attacking strategy. In fact, a rationale defender will surely play the dominant 
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strategy A| r , hence A can choose his strategy by assuming that D chooses A£ r . The derivation of the 
optimum attacking strategy is now an easy task. We only need to observe that the goal of A is to take a 
sequence y n drawn from Y and modify it in such a way that: 

^^)<A-l^| l0g(n + 1)(iV + 1) , (3D 

n 

with d(y n ,z n ) < nD. The optimum attacking strategy, then, can be expressed as a minimization problem, 

i.e.: 

f t * 7 , c (y n ,t N ) = arg min h(z n ,t N ). (32) 

z n :d(y n ,z")<nD 



Note that to implement this strategy A needs to know t , i.e. equation (1321 determines the optimum 
strategy only for version c of the game. 

Having determined the optimum strategies for D and A, we can state the first main result of the paper, 
summarized in the following theorem. 

Theorem 3 (Asymptotic equilibrium of the HT\l c game). The HT^ c game is a dominance solvable 
game and the profile ( A£ r , / t * r c ) is the only rationalizable equilibrium. 

Proof: Lemma |2] says that A* r is a strictly dominant strategy for D, thus permitting us to eliminate 
all the other strategies in Sd (since they are strictly dominated by A* r ). The theorem, then, follows from 
the optimality of / 4 * r c when A^ r is fixed. ■ 

A. Discussion 

As a first remark, we observe that (A£ r , / f * c ) is the unique Nash equilibrium of the game. In addition 
to the properties of Nash equilibria, however, (A£ r , f* rc ) has the desirable characteristic of being the 
only possible choice if the two players behave rationally. In fact, a rational defender will surely adopt 
the acceptance region A£ r , since any other choice will lead to a (asymptotically) higher Pf n , regardless 
of the choice made by A. On his side, a rational attacker, knowing that D will behave rationally, will 
adopt the strategy / t * c , since this is the strategy that optimizes his payoff when D plays A£ r (for more 
details on the notion of rationalizable equilibrium we refer to |[T8l , |fT9l ). 

To get a better insight into the meaning of the equilibrium point of the HT\l c game, it is instructive to 
compare it with the equilibrium of the corresponding game with known sources, namely the HTJ^ S game. 
To start with, we observe that the use of the h function instead of the divergence V derives from the fact 
that D must ensure that the false positive probability stays below the desired threshold for all possible 
sources in C. To do so, he has to estimate the pmf that better explains the evidence provided by both x n 
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and t . This is exactly the role of P r -n+N (see equation (1A3I) ). with the generalized log-likelihood ratio 
corresponding to 1 over n the log of the (asymptotic) probability that a source with pmf equal to P^+n 
outputs the sequences x n and t . 

Another observation regards the optimum strategy of the attacker. As a matter of fact, the functions 
h{P x «,Pt N ) and V(P x n ||P(«) share a similar behavior: both are positive and convex functions achieving 
the absolute minimum when P x n = P t N, so one may be tempted to think that from As point of 
view minimizing V(P x n\\P t N) is equivalent to minimizing h(P x n ,P tN ). While this is the case in some 
situations, e.g. when the absolute minimum can be reached, in general the two minimization problems 
yield different solutions. 

To further compare the HT^ C and the HTJJ S games, it is useful to rewrite the generalized likelihood 
function in a more convenient way. By applying some algebra, it is easy to prove the following equivalent 

expression for h: 

N + n 

h{P x ^P tN ) = V(P x ~\\P t ») V(P r n +N \\P tN ), (33) 

n 

showing that h(P x ™, P t N) < D(P x n\\P t N) with the equality holding only in the trivial case P x ^ = P t « ■ 

This suggests that, at least for large n, it should be easier for A to bring a sequence generated by Y 

within A£ r than to bring it within h* ks . This is indeed the case, as it will be shown in Section IVI-AI 

where we will provide a rigorous proof that the HT^. C game is actually more favorable to the attacker 

than the HT l k r s game. 

We conclude this section by investigating the behavior of the optimal acceptance strategy for different 

values of the ratio — . To do so we introduce the two quantities c x = -^^ and ct = ^77, representing 

the weights of the sequences x n and t N in r n+N . It is easy to show, in fact, that 

P rn+N = Cx P x n + ctP t N . (34) 

In the simplest case n and A^ will tend to infinity with the same speed, hence we can assume that the 
ratio between A^ and n is fixed, namely, ^ = c ^ (we obviously have c x = -^- and q = -p-.)- Under 
this assumption, the decision of D is dictated by equation d25l ) and no particular behavior can be noticed. 
This is not the case when N/n tends to or oo. 

If N/n — > 0, then _P r „+jv — > P x n and h(P x ^ , P t N ) — > 0. This means that the defender will always 
decide in favor of Hq. This makes sense since when the test sequence is infinitely longer than the training 
sequence, the evidence provided by the training sequence is not strong enough to let the defender reject 
hypothesis 0. 
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If N/n — > oo, the analysis is slightly more involved. In this case c* — > 1 and P r , 1+ N — >• P t jv, hence the 
first term in equation (|22j tends to V(P x n\\P t N). To understand the behavior of the second term of (|22l 
when n — > oo, we can use the Taylor expansion of V{P\\Q) when P approaches Q (see [23], chapter 
4), which applied to the second term of the h function yields: 

-.V{P tN \\P rn+N )~-.^ — — 

N s-^{c x P tN {x) + c x P^{x)) 2 



iV ^— \ 



2n ^—^ P rn +N(x) 

f <sr^ (Pt»(x)+i 

2(^ + l) 2 V ^- + -(x) 



(P t «(x)+P^(x)) 2 



(35) 



When N/n — > oo, the above expression clearly tends to 0, and hence h(P x n,P t N) — y V(P x n\\P t N). In 
other words, the optimum acceptance region tends to be equal to the one obtained for the case of know 
sources with Px replaced by P t N . This is also an intuitively reasonable result: when the training sequence 
is much longer than the test sequence, the empirical pmf of the training sequence provides such a reliable 
estimate of Px that the defender can treat it as the true pmf. 

One may wonder the reason behind the asymmetric behavior of the optimum decision strategy when 
the length of one between the two sequences under analysis grows much faster than the other. This 
apparent anomaly derives from the choice of analyzing the asymptotic behavior by letting n tend to 
infinity, a choice that breaks the symmetry between the test and training sequences. If we had defined the 
false positive and false negative error exponents in terms of N, the situation would have been completely 
reversed. 

In the following we will always assume that N/n = c, since from the above analysis this turns out to 
be most interesting case. 

VI. Analysis of the payoff at the equilibrium 

Now that we have derived the equilibrium point of the HTJ£ C game, we are ready to analyze the payoff 
at the equilibrium to understand who, between the defender and the attacker is going to win the game. 
Our aim is to derive a result similar to Theorem |2] so that given two pmf's Px and Py, a false positive 
error exponent A and a distortion constraint D, we can derive the best achievable (for the defender) 
false negative error exponent et r , c - Specifically, we would like to know whether it is possible for D to 
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obtain a strictly positive value of Et r ,c, thus ensuring that the false negative error probability tends to zero 
exponentially fast for increasing values of n. 

In our proofs we will find it necessary to generalize the h function so that it can be applied to general 
pmf 's not necessarily belonging to V n or Vn- By remembering that N/n = c, we introduce the following 
definition: 

h c (P,Q)=V(P\\U)+cD(Q\\U), (36) 

with 

1 + c 1 + c 

Note that when P G V n and Q € Vn, the above definition is equivalent to (l22l ). By using h c instead 
of h we can generalize the expression of the optimum acceptance region A* r so to make it possible to 
apply it to any pair of pmf 's P and Q (of course when P and Q are not empirical pmf 's the meaning 
of A£ r as acceptance region for Hq is lost): 

At = {(P,Q):h c (P,Q)<X-\X\ l ° S{n + ^ N + 1) }. (38) 

With these ideas in mind, let us introduce the set r™ rc containing all the pairs of sequences (y n ,t N ), for 
which A is able to bring y n within A^ n (for sake of clarity we use the apex n to explicitly indicate that 
A*^ n refers to pairs of sequences respectively of length n and N = en): 

K, c = {(y n ,t N ):3z n s.t 

{z n ,t N ) € A*; n and d(y n , z n ) < nD}. (39) 

By observing that Tf r c depends on t N only through P t N and by reasoning as in the proof of Property 
1 in 1171 (we need to assume that the distance measure d is permutation-invariant), we can show that 
r" rc is still a union of pairs of type classes, and hence we can redefine it as: 

T? r>c = {(P y n,P t ») : Vy" € T(P y n) 3z n s.t. 

(P z , ,P t s)€ A*; n and d(y n , z n ) < nD}. (40) 

Note that, by adopting the generalized version of A^ r in which h c is used instead of h, the above definition 
can also be applied when P t \ is replaced by a generic pmf Q not necessarily belonging to Vn- We will 
also find it convenient to fix Q and consider the set of types P x ™ for which {P x ™ , Q) belongs to A^ n 
and r" rc , that is: 

A£ n (Q) = {P x n : (P xn , Q) € A t *;"}, (41) 
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r£, c (Q) = {P r :Vy"eT(p y „) 3z n sX. 

P z ~ e A*; n (Q) and d(y n , z n ) < nD}. (42) 

The derivation of the false negative error exponent at the equilibrium passes through the following 
asymptotic extension of T^ rc {Q): 

r£ c (Q) = d \[JK r , c (Q)Y (43) 

The importance of the above definition is that for any source Px, given the false positive error exponent A 
and the maximum allowed per-letter distortion D, the set T^ c (Px) corresponds to the indistinguishability 
region of the HT^ C game, i.e. the set of all the pmf's for which D does not succeed in distinguishing 
between Hq and Hi ensuring a false negative error probability that tends to zero exponentially fast. In 
other words, if Py E T^ c (Px), no strictly positive false negative error exponent can be achieved by D. 
To prove that this is indeed the case, we need to prove the following theorem. 

Theorem 4 (Asymptotic payoff of the HT^'. C game). For the HTJ£ C game, with N/n = c and assuming 
an additive distortion measure, the false negative error exponent at the equilibrium is given by 

e tr!C = mm[c-V(Q\\P x )+ min V{P\\P Y )}. (44) 

Q Per~ c (Q) 



Proof: By using the definitions given in this section, the false negative error probability at the 
equilibrium, for a given n, can be written: 

Pfn = E p *( t7V ) E p y(y n ) 

= J2 p x(nQ)) E Py( T (P))- (45) 

Q&Vn Per? TtC (Q) 

We start by deriving an upper-bound of the false negative error probability. By exploiting some well- 
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known bounds on the probability of a type class and the number of types in V n 11221 . we can write: 
P fn < J2 P x(T(Q)) E 2-^11^) 

-n min V(P\\Py) 

< J2 Px(T(Q)){n + l)\ x \2 Per - (Q) 
QsVn 

-n min T>(P\\P Y ) 

< J2 Px{T{Q)){n + \)\ x h Per - (Q) 
QePiv 

< (n + l) l * l (iV + 1)1*1 

-n min [~£>(Q||P X ) + m i n DfPllPy)] 

< (n + l) l * l (iV + l) 1 * 1 

nmm[cV(Q\\P x )+ min D(P||P y )] 



JcC 



•2 ^ ^ ff , e l«« ; (4Q 

where the last inequality is obtained by minimizing over all Q without requiring that Q € Vn- By taking 
the log and dividing by n we find: 

- ^^ > min [cD{Q\\P x ) + min D(P\\P Y )] + a n , (47) 

with a n = |^| _£giH — >A 1 tending to when n tends to infinity. 

We now turn to the analysis of a lower bound for Pj n . Let Q* be the pmf achieving the minimum 
in (1441) . Due to the density of rational numbers within real numbers, we can find a sequence of pmf 's 
Qn £ Pn that tends to Q* when n tends to infinity. By remembering that N = nc, the subsequence 
Qn = Qnc will also tend to Q* when n (and hence N) tends to infinitjlj. Let us now consider the 

6 In order to simplify the analysis, we assume that c is a non-null integer value, the extension of the proof to non-integer 
values of c is tedious but straightforward. 
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following sequence of inequalities: 

(a) __ __ 2~ nV ^ P ^ 

p fn > E *<W)) E T^nyp^- 

QeP« Per ?r . c (Q) l ^ ; 

-n min X>(P||P>0 

a E ftwo) ( , i + 1)W 

Qev N v T ; 

-n min V(P\\P Y ) 

(6) 2- 7VX, ( < 3H p - x ) 2 Per ^ (Q) 



E 



-n[c£>(Q||P x )+ min Z>(P||Py)] 
9 Per» c (Q) 



(tf + l)l*l(n + 1)1*1 

-n[cD(Q JV ||Px)+ min 2?(P||P V )] 
(c) 2 p er? r , c Wjv) 

- (JV + l)l*l(n + 1)1*1 ' 

where inequalities (a) and (b) derive from a known lower bounds on the probability of a type class 
and in (c) we have replaced the sum with a single element of the subsequence Qn defined previously. 
By taking the log and dividing by n, we obtain 

_logP£n < C V{Q N \\P X )+ min V{P\\Py) + Pn, (49) 

n Per? r:C (Q N ) 

where (3 n = \X\-^^ — " '- tends to when n tends to infinity. To continue, let P* be defined as 



follows 



P* = arg min V(P\\P Y ). (50) 



In Appendix IB1 we show that it is possible to find a sequence P n , where each P n belongs to T^^Qn), 
that tends to P* when n tends to infinity. By starting from equation (|49l and by exploiting the continuity 
of the divergence function, for n large enough we can write 

log Pfn 



n 



< cV(Q*\\P x ) + (3' n + V(P n \\P Y ) + P n , (51) 

< cV(Q*\\P x ) +(3' n + V{P*\\Py) + P n + p n , 

where all the sequences (5 n , f3' n and /3" tend to zero when n tends to infinity. 

By coupling equations (|47T ) and (f5TT > and by letting n — > oo, we eventually obtain: 

lop" P 

- lim fe /n =min[c-£>(Q||P x ) + min D(PlliV)], (52) 

n^oo n Q Per t ~ c (Q) 

thus proving the theorem. ■ 
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According to Theorem |4] we can distinguish two cases depending on the relationship between Px and 
Py. 

1) Py € T™ C (P X ) then s tr>c = 0; 

2) P Y i T^ C (P X ) then Str , c > 0. 

In the former case, which is obtained by letting Q* = Px, it is not possible for D to obtain a strictly 
positive false negative error exponent while ensuring that the false positive error exponent is at least equal 
to A. In the latter case, it is not possible that the two divergences in (1441 are simultaneously equal to zero, 
hence Pf n tends to exponentially fast. In other words, given A and D, the condition Py ^ T^ c (Px) 
ensures that the distance between Py and Px is large enough to allow a reliable distinction between 
sequences drawn from Px and sequences drawn from Py despite the presence of the adversary. As 
anticipated, then, T^ c (Px) is the indistinguishability region of the HTJ£ c game. 

A. Comparison between the HT^ S and HT^ C games 

In this section we compare the asymptotic performance achievable by D for the HTJJl. and HT^ C 
games. We start the analysis by comparing the indistinguishability regions of the two games, namely 
r^(Px) and Tfr C (Px) (where, as opposed to Section JIIJ we now explicitly indicate the dependence of 
r- on P X ). 

The comparison between the two regions relies on the comparison between the divergence and the 
generalized likelihood function. In particular, the starting point of our analysis is the following lemma. 

Lemma 3 (Relationship between h c and V). Let N/n = c, with c/ 0, c / oo, for any P ^ Px we 
have, 

h c {P,Px)<V{P\\P x ). (53) 

Proof: By rewriting h c (P,Px) as in equation (|33l , we have: 

h c (P,P x )=V(P\\P x ) - (1 + c)V(U\\P x ) (54) 

with U = P/(l + c) + cPx/(l + c), which is equal to Px if and only if P = Px, when we have 

V{U\\P X ) = thus yielding h c (P,P x ) = V(P\\P X ) = 0. ■ 

In the subsequent proofs we will refer to the way the mapping function / operates on y n to produce 
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M 



z'X\. Specifically, we will indicate with nf(i — >• j) the number of times that / transforms the i-th symbol 
of X into the j-th one. The main result of our analysis is stated in the following theorem. 

Theorem 5 (HT^ C vs HT ks ). For any finite, non-null value of c, any Px, A > and D we have 

Tf s {P x ) c TTrAPx). (55) 



Proof: We will prove the theorem by first showing that T^ s (Px) C T^ c (Px), and then finding at 

least one point (actually an infinite set of points) that belongs to T^ c (Px) but does not stay in T^ s (Px)- 

Let y n be a sequence such that P yn e T ks (Px), this means that a mapping f n exists that transforms 

y n into a sequence z n belonging to A* k '™(Px), while satisfying the distortion constraint. Let now m be 

a multiple of n (m = kn). For k large enough we have 

A |,Y| log ( re + 1 ) < A I Y i 1 °g( m + 1 )( cm + 1 ) (56) 

n m 

Since P z n e A* k '™(Px), Lemma [3] permits us to write: 

h c (P z ^P x ) < V{P zn \\P x ) (57) 

< A-|*| lQg(n + 1) 
n 

log(m + 1)(C771 + 1) 



< \-\X\ 



m 
Given that m is a multiple of n, any P G V n also belongs to V m , permitting us to conclude that 

P 2 « € A^ m (Px)- Let now y m be an m-long sequence having the same type of y n (this is surely possible 

since m is a multiple of n). If we apply to y m a mapping function v m for which n v ™. (i — y j) = krij™ (i — > 

j), the sequence z m = v m (y m ) will have the same type of z n , and hence by virtue of equation (1571 ) 

P z m g A^ m (Px)- In addition, the mapping v m introduces the same per-letter distortion of f n for any 

additive distortion measure, permitting us to conclude that P y ™ £ T™ c {Px)- In summary, we have shown 

that for any P E T^ s {Px) an m = kn exists such that P € T™ c (Px), and hence: 

r? s (Px) = cl\\JT n ks (Pxyj (58) 

c ci(nr™ c (Px))=r% c (Px). 

7 To keep the notation as light as possible we will not distinguish between mapping functions used for the known source case 
and those applying to hypothesis testing with training sequences, even if, rigorously speaking, these are quite different functions 
since the latter also depend on the training sequence t . 
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We now prove that there is at least one point that belongs to T^ c (Px) but does not belong to Vj£,(Px) 
(actually there is an infinite number of such points). To do so let us consider a point P* belonging to 
the boundary of T^ c (Px)- Since by definition T^ c (Px) is a closed set, P* will also belong to it. Due 
to Lemma l4l (Appendix iBl). we can find a sequence of types P l n G T^ rc (Px) that tends to P* from the 
inside of F^ c (Px)- On the other hand, since P* lies on the boundary of the closed set r^ c (Px), any 
ball centered in P* will contain an infinite number of points that do not belong to T^ c (Px)- Due to 
the density of rational numbers in real numbers, it is possible to define an outer sequence of types P° 
tending to P* , for which P° € V n and for which no mapping function exists that when applied to the 
sequences in the type class of P° moves them into A^ n (Px) with a per-letter distortion equal or lower 
than D. In other words, for any sequence y n € P° and any (distortion-limited) mapping f(y n ) = w n we 
have 

MW*)> A- \X\ Mn + lXcn + l) (59) 

n 

Let f n be the sequence of optimum mapping functions that applied to the sequences in T(P^) results in 
a sequence z n for which h c (P z ^,Px) < A — |«Y|[log(n + l)(cn + l)]/n. 

Given that P z n is obtained by transforming sequences belonging to a sequence of types tending to the 
limit type P* , by continuity we can say that the sequence of types P z « will also converge to a type, say 
P*. Let us assume now that P* / Pxu- Of course we also have P z n ^ P x (at least for large n). Then, 
by Lemma [3j and due to the continuity of the h c function, we have 

V{P z ,\\P X )-h c {P z ,,Px)=T n , 

v(p:\\p x )-h c (p:,p x ) = T, 

lim r n = t, (60) 

n— >-oo 

where r is strictly larger than 0. 

Let us now consider the outer sequence P°. Since both P„ and P° tend to P* , for n large enough, P„ 
and P° will become arbitrarily close. By continuity, if we apply the samdj /" to a sequence in T(P°), 

8 It is always possible to find a point P* for which this is true, unless the optimal acceptance region asymptotically reduces 
to the single point Px- This would be the case if we let A — > 0, a situation that is not considered in the present analysis. 

'Rigorously speaking it is possible that /" can not be applied as is to the sequences in T(P£), since we have to ensure 
that, for each i, nfn (i —t j) is not larger than the number of symbols i in the to-be-mapped sequence. However, given the 
closeness of the sequences in P„ and P° the modifications we need to introduce within /" are minor and our arguments still 
work. Readers may refer to Appendix A in 0171 for a detailed proof of how the closeness of types can be exploited to ensure 
that the types of the remapped sequences are also close to each other. 
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we will obtain a sequence w n whose type is arbitrarily close to P z n , let us indicate it by P w n (we can also 
say that P w n — > P*). Due to the continuity of the h c function, h c (Pz n , Px) and h c {P W " , Px) will also be 
arbitrarily close; h c (P w ™,Px), though, will be larger than or equal to X — \X\(\og(n+l)(cn+l))/n, since 
w n has been obtained by starting from a point belonging to P°. This, in turn, means that h c (P z n,Px) 
will be arbitrarily close to A — |A?|(log(n + l)(cn + l))/n (though lower than that). In other words, for 
any 5 > 0, when n is large enough, we have 



n J 

If n is large enough, then, for all the sequences in T(P^) we have: 



< S. (61) 



V{P zn \\P x ) = h c (P z «,Px)+T n (62) 

> A — \X\ + T n 

n 

> A, 

where for the last inequality we have exploited the fact that for large n, 5 can be made arbitrarily small, 
log(n)/ra tends to and r n tends to r > 0. As a result, for large n, P % n <£ F™ s (Px), for any m and hence: 

pii{jn s {Px). (63) 

On the other hand, P^ can not belong to the closure of U n T^ s (Px) (and hence to T^ s (Px)), since in 
this case we could find a new sequence of types arbitrarily close to P^ which could be moved within 
Ajlj'j 1 . By continuity, then, P^ could also be moved within A* k '™ for some n thus contradicting (l62l ). It 
goes without saying that, a fortiori, no point P* on the boundaiy of T^ c (Px) belongs to r^ s (Px). ■ 
Theorem [5] has two simple corollaries. 

Corollary 1. For any pmf P belonging to the boundary of T^ s (Px) there exists a positive value e 
such that B(P,e) C T^ c (Px), where B(P,e) is a ball centered in P with radius e. In the same 
way, for any pmf P belonging to the boundary of T^ c (Px) there exists a positive value e such that 

B(p,e)nr%(p x ) = b 

Proof: It follows immediately from the proof of Theorem [5] ■ 

Corollary 2. Let £^ s and St rc denote the error exponents at the equilibrium for the HTj? s and HT{j. c 
games. Then we have: 

£tr,c < Efcs, (64) 
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where the equality holds if and only if Py £ r?°(Px'), when both error exponents are equal to 0. 

Proof: The corollary is obvious when Py € F^ C (P X ), since in this case e tr , c = and e ks = if 
Py € r^(Px) and nonzero otherwise. If Py ^ T^ C (P X ), by considering the expression of the error 
exponent for the HT£ c game we have: 

e tr , c = mm[c ■ V(Q\\P X ) + p mm^ V(P\\P Y )} (65) 

< cD{P x \\P x )+ min V(P\\P Y ) 

pgr- c (p x ) 

( = } min V(P\\P Y ) 

< min V{P\\P Y ) = e ks . 

P&Z(Px) 

where the last strict inequality is justified by observing that the absolute minimum of V(P\\Py) is 
obtained for P = Py which lies outside T^ C (P X ), hence due to the convexity of V and Corollary [Q 
the value P satisfying the minimization on the left-hand side of equality (a) belongs to the non-empty 
set {T%. c (P x )/Tf s (P x )}. M 

Theorem [5] and Corollary |2]permit us so to conclude that hypothesis testing with training data is more 
favorable to the attacker than hypothesis testing with known sources. The reason behind such a result is 
the use of the h function instead of the divergence, which in turns stems from the need for the defender 
to ensure that the constraint on the false positive error probability is satisfied for all P x G C. It is such 
a worse case assumption that ultimately favors the attacker in the HTJ£ c game. 

VII. Binary hypothesis testing game with independent training sequences (HT^ a ). 

We now pass to the analysis of version a of the HTJ£ game. We remind that in this case D and A 
rely on independent training sequences, namely t^ and t^. As for version c, we assume that both N 
and K grow linearly with n and that the asymptotic analysis is carried out by letting n go to infinity. 
Specifically, we assume that N = en and K = dn. As we already noted in Section [V] the strategy A| r 
identified by Lemma [2] is optimum regardless of the relationship between t^ and t\, hence the only 
difference between versions a and c of the game is in the strategy of the attacker. In fact, now the attacker 
does not have a perfect knowledge of the acceptance region adopted by the defender, since such a region 
depends on the empirical pmf of t^ which A does not know. 

A reasonable strategy for the attacker could be to use the empirical pmf of t^ instead of the one 
derived from t^- More precisely, by using the notation introduced in Section [VI] (equation (|4TT)). the 
attacker could try to move y n into A^ n (P t K), while the acceptance region adopted by the defender is 
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A^ n (P 4 Jv). Given that tp and t A are generated by the same source, their empirical pmf' s will both tend 
to Px when n goes to infinity, and hence using A^ n (P t K) should be in some way equivalent to using 
A^ n (P i iv). In fact, in the following we will show that, given Px, D and A, the indistinguishability region 
for version a of the game, let us call it V^ a (Px), is identical to the indistinguishability region of version 
c. Of course, this does not mean that the achievable payoff for the HT^ a game is equal to that of the 
HTfr. c game, since, even if the indistinguishability region is the same, outside it the false negative error 
exponent for case a may be different (actually larger) than that of case c. 

We start our analysis by assuming that c = d (and hence N = K), i.e. the training sequences available 
to the defender and the attacker have the same length. Our goal is to investigate the asymptotic behavior 
of the payoff of the HT^. a game for the profile (A^ n (P t iv), /), where the, not necessarily optimum, 
strategy / adopted by the attacker is defined as: 

f(y n ,t%) = BXg min h(P zn ,P tl ). (66) 

z n :d(z",y Tl )<nD A 

We also impose the additional constraint that for any permutation a we have: 

j(o(y n ),t N A ) = o(f(y\t N A )). (67) 

By following the same flow of ideas used in Section |VI1 we consider the set of sequences for which the 
attacker is able to move y n within the acceptance region A^ n (P i w), i.e.: 

f t " = {(y n ,t N D ,t N A ) : ]{y n ,t N A ) € A* t ; n (M}. (68) 



Thanks to the additional constraint in equation (I67I ). and by reasoning as in the proof of Property 1 in 
ifTTl . it is easy to show that r" ra is a union of triple of type classes^ hence permitting us to redefine 
Tf r a in terms of types. Similarly to version c of the game, we find it useful to introduce the following 
definition: 

V^GT(P r ), (/(yVM)eAn- 

10 The necessity of imposing that / commutes with permutations comes out when for a certain y n the minimization in l |66t 
has several solutions {^"(1) . . .z n (k)}, some of which, say the first m, fall within A^"(P t jv) while the others don't. If we 
consider <j(y n ) instead of y n , {a(z n (l)) . . . a(z"(k))} will still be solutions of the minimization problem. In addition, the first 
m sequences will still belong to A^"(P t jv), while the others will not. If we want that T" r>a is a union of triple of type classes, 
it is necessary to require that when y n is permuted / continues to pick up a minimizer inside (or outside) A*^ n (P t iv). This is 
surely the case if f{a{y n ), t N A ) = a(f(y n ,t%)). 
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By using the generalized function h c instead of h, we can apply the above definition to any pair of pmf 's. 
Specifically, given two pmf 's Q and R, we define: 

fl, a (Q,R) = {P^€V n : (70) 

Vy n eT(P yn ),(f(y n ,R),Q)eAZ n . 

It is easy to see that: 

f£ >a (Q,J*) Cf S, a (Q,Q) (71) 

fg., fl (Q,Q)=r^, c (Q), 

since when (and only when) Q = R A performs its attack by using exactly the same acceptance region 
adopted by D, while in all the other cases he can rely only on an estimate based on its own training 
sequence. Paralleling the analysis of the HT^ C game, we introduce the set 

t% ta (Q,R) = d \\jfl, a (Q,R)) (72) 

for which, thanks to (ED, we have f^ a (Q,R) C fg? j0 (Q,Q) = T^ C {Q). 
We are now ready to prove our main result regarding the HT^ a game. 

Theorem 6 (Asymptotic payoff of the HTf£ a game). The error exponent of the payoff associated to the 
profile (A^ n (P 4 w), f(-,tj[)) is lower (upper) bounded as follows 

e tr , a > min {c[V(Q\\P x ) + V(R\\P X )] (73) 

+ min V(P\\Py))}, 
Per% ia (Q,R) 

e tr , a <mm[2c-V(Q\\P x )+ min V(P\\P Y )]. (74) 

Q eC Per% ta (Q,Q) 

Proof: The proof is similar to the proof of Theorem @] with the noticeable difference that now 
the lower and upper bounds are different hence preventing us to derive a precise expression for the 
error exponent. Let us start with the lower bound. By recalling the definition of the false negative error 



April 9, 2013 DRAFT 



IEEE TRANSACTIONS ON INFORMATION THEORY 32 



probability, for any n we can write: 

= E E^^))^^)) E jvcw) 

QeV N ReP N Pef? r>a (Q,R) 

<EE Px(T(Q))Px(T(i?)) 

-n min X>(P||P y ) 

•(n + 1)1^2 Pef -,o<«-«) 

< ^ P x (T(Q))(n + 1)W(JV+ 1)W 

Q&Vn 

-n min [cD(P||P Y )+ min V(P\\P Y )] 
„ Hg-Pjy per" IQ,«) 

• 2 - 

<(n + l)l*l(JV+l) 2 l*l 

-n min [cV{Q\\P x )+cV(R\\P x )+ min Z>(P||Py))] 
^ Q,j?.ec p 6 f R. 1 »«. R ) /-7C\ 

where in the last inequality we replaced the minimization over all Q and R in "P^r, with a minimization 
over the entire space of pmf 's. By taking the logarithm of both sides and by letting n tend to infinity, 
the lower bound in equation d73T l is proved. 

We now turn the attention to the upper bound. To do so, let Q* be the pmf achieving the minimum in 
equation (T74b . Due to the density of rational numbers within real numbers, we can find two sequences 
of pmf's Q n and R n that tend to Q* when n tends to infinity, and such that Q n € V n , R n G V n ^n. 
By remembering that N = nc, we can say that the subsequences Qn = Qnc and Rn = R nc also tend 
to Q* when n (and hence N) tends to infinity. We can, then, use the subsequences Qn and Rn to write 
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the following chain of inequalities: 



p fn= E E^CWiMTCfl)) E p y( T ( p )) 

Qer N Rev N Pef? r>0 (Q,J?) 

2 -nX>(P||Py) 

>^^P l( T(Q))P im ^ 
qsPnR&Pn per ? r , a (Q,R) v 

-n min £>(P||P y ) 
(a) ._, ._, o Pef "r,<,C«- Ji ) 

> E E^( T (Q))^(^)) (w+1) ^i 

-n[cD(R\\P x )+ min Z>(P||Pr)] 

9 Pef "r.o (Q ' 7? ' 



^ E E p ^( r ^)) 



(N + 1)1-1 („ + 1)1*1 

-n[cX>(R N ||Px)+ min X>(P||P Y )] 
(6) 9 p erj> ra (Q,H N ) 

* E*Cr«» (JV + 1)W( „ + 1)I ,, 

-n[cr>(Q||P x )+cI5(P J v||P x )+ min V(P\\P Y )] 

- q E n (JV + l) 2 W(n + l)W 

-n[cD{Q N \\P x )+cV{R N \\P x )+ min X>(P||Py)] 

(c) 2 Per^ ra iQ N ,R N ) 

~ (iV + l)2|^l( n + 1)1*1 ' (76) 

where inequalities (a), (6) and (c) have been obtained by replacing the summation with a single element 
of the sum (two elements of the sequences Qn and Rn for (b) and (c)), and the others rely on a known 
lower bound on the probability of a type class ((22], chapter 12). By taking the logarithm of each side 
in (P76l ). we can write: 

etr,a < cV{Q N \\P x ) + cV(R N \\P x ) 

+ min V{P\\Py) + fa, (77) 

Per^ a (Q N ,R N ) 

with /3 n = [2\X\ log (AT + 1) + |A?| log(n + l)]/n tending to for n ->• oo. Let then P* be defined as: 

P* = arg min V(P\\P Y ). (78) 

^6f« a (<9*,Q«) 

By recalling that both Qtv and Pat tend to Q* for increasing N, we can invoke Lemma [5] in Appendix 
O to build a sequence P n such that each term of the sequence belongs to Tf ra (QN, Rn) and P n — > P* , 
when n — > oo. By recalling that 

Q* = argmin[2c-P(Q||P X )+ min V(P\\P Y )], (79) 

Q eC Pef~ a (Q,Q) 
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and by reasoning as in the proof of Theorem @] (equations (|5H and (l52l and discussion therein), we can 
eventually prove the upper bound (l74l l. ■ 

Theorem [6] has an important corollary. 

Corollary 3 (Indistinguishability region for HT^ a ). The false negative error exponent associated to the 
profile (Aj,I n (P t iv), f(-,tj[)) is equal to zero if and only if Py S T^ a (Px, Px) = r^ c (-Px)» and hence 
the indistinguishability region of the HT^. a game is equal to that of the HT^ C game. 

Proof: From the upper bound in Theorem [6] it follows that e ira = if Py £ T^ a (Px, Px), whereas 
from the lower bound we see that e ira = implies that Py € T^ a (Px,Px)- ■ 

Corollary |3]provides an interesting insight into the achievable performance of the HT^. a game. While, 
in general, version a of the game is less favorable to the attacker than version c, since in the latter case the 
attacker knows exactly the acceptance region adopted by the defender, if the attacker adopts the strategy 
/, the indistinguishability regions of the two games are the same. Such a strategy, then, is optimal at 
least as far as the indistinguishability region is concerned. On the other side, there is no guarantee that 
the attacker can achieve the same payoff as for version c. 

A. Training sequences with different length 

We conclude this section by discussing briefly the case in which the training sequences t 1 ^ and t 1 ^ 
have different lengths, i.e. c / d. To simplify the analysis we assume that c is known to the attacker, in 
this way A knows at least the exact form the h c function used by D. We focus on the following attacking 
strategy: use the training sequence t^ to estimate P t « and use the estimate to attack the sequence y n . 
Specifically, the attacker may use the following estimate of P t N : 

1 



P t N(i) 



P t K{i)-N 



\fi = l...\X\-l, 



1*1-1 
P t ,(\X\) = l- J2 p t$(i), (80) 

8=1 

to implement the attacking function: 

/(!/",*£) = arg min h c (P z n,P t *). (81) 

z n :d(z n ,y n )<nD 

With the above definitions, we can easily extend the analysis carried out for the case c = d and obtain 
very similar results. Specifically, the upper bound in Theorem [6] can be rewritten as: 

e t r,a<mm[(c + d)-V(Q\\Px)+ min V(P\\Py)), (82) 

<2 £C Pef~ Q (Q,Q) 
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whose proof is practically identical to the proof of Theorem [6] and is omitted for sake of brevity. By 
observing that the performance achievable by the defender in version a of the game are at least as good 
as those achievable in version c, since in the latter case A knows exactly the acceptance region adopted 
by D and hence his attacks will surely be more effective, equation (l82l ) allows us to conclude that the 
indistinguishability region is equal to that obtained for the case c = d. 

We end this section by considering briefly version b of the game. In some sense, we can say that 
version b is halfway between versions a and c. Like in version a, the attacker does not have a perfect 
knowledge of the training sequence used by the defender and hence he must resort to an estimate of the 
true acceptance region. On the other hand, the situation is more favorable to the attacker with respect 
to version a with d < c, since now D knows at least part of the training samples used by D. Given 
that versions a and c of the game have the same indistinguishability region, we can conclude that the 
indistinguishability region of version b will also be the same. 

VIII. Concluding remarks 

The need to protect the cyberworld that surrounds us has spurred researchers to look for suitable 
countermeasures against the ever increasing number of attacks that every day are brought against the 
digital world we live in. In many cases, though, research has focused on specific security threats, each 
time by developing tailored solutions that can not be easily extended to other scenarios. It is no surprise, 
then, that similar solutions are re-invented several times , and that the same problems are faced with again 
and again by ignoring that satisfactory solutions have already been discovered in contiguous fields. Even 
worse, the lack of a unifying view does not permit to grasp the essence of the addressed problems and 
work out effective and general solutions to be applied with limited effort to different fields. Times are 
ripe to develop general tools and models that can be used to analyze very general classes of problems 
wherein the presence of an adversary aiming at system failure can not be neglected. 

As a first attempt in this sense, we have introduced a framework to analyze the achievable performance 
of binary hypothesis testing in an adversarial setting, i.e. when an adversary is present with the explicit 
goal of degrading the performance of the test. We did so by casting the hypothesis testing problem into 
a game-theoretic framework. In this way, in fact, we have been able to define rigorously the goals and 
constraints of the two contenders, namely the analyst, a.k.a. the defender, and the adversary or attacker. 
More specifically we introduced several versions of the hypothesis testing game, by paying attention 
to distinguish between hypothesis testing with known sources and hypothesis testing with training data. 
Given that a problem very similar the former case has already been studied in ifTTl , we then focused on 
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hypothesis testing with training data (the HT tr game). From a more technical point of view, we derived 
the asymptotic equilibrium point of various versions of the game, and analyzed the achievable payoff at 
the equilibrium. In addition to shedding a new light on the achievable performance of hypothesis testing 
in an adversarial environment, the analysis we carried out has the merit to clearly show the potentiality 
of the use of game-theoretic concepts coupled with tools typical of information theory and statistics. 

Several directions for future research can be pointed out. The extension of our analysis to multiple 
hypothesis testing and classification is one of the most promising research directions, together with the 
extension to games characterized by more than two players. The analysis of situations in which the 
players do not have a perfect knowledge of the strategies available to the other players, or even the 
payoff function, by modeling the problem as a game with imperfect knowledge is another interesting 
research direction. The investigation of sequential games, in which the players move repeatedly each 
time by exploiting the result of the previous round of the game also offers many interesting hints for a 
fruitful research. 

From a more focused perspective, it would be interesting to study specific instances of the HT tr game, 
in which the sources belong to a specific class, e.g. binary sources. We predict that in this way simpler 
expressions of the equilibrium point, the achievable payoff and, most of all, the indistinguishability 
region could be obtained, thus permitting to get additional interesting insights. Finally, we mention the 
opportunity of extending the analysis to the case of continuous sources. While the general ideas would 
remain the same, passing from discrete to continuous sources does not seem to be a trivial step, since 
our analysis relied heavily on the method of types, whose extension to continuous sources, though not 
impossible, comes with a number of additional difficulties. 
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Appendix 
A. Proof of Lemma [7] 

We start by remembering that for memory less sources we have ( 1221 . chapter 12): 

nV(P xn \\P x ) = -\og{P x (x n ))-nH(P xn ). (Al) 

By applying the above property to the right-hand side of equation d24l ). we obtain: 

nV(P xn \\P x ) + NV(P tN \\P x ) = (A2) 

- nH{P x n) - NH(P t N) - logP x (r n+N ), 

where we have used the memoryless nature of P x due to which P x (r n+N ) = P x (t N ) ■ P x (x n ). For 
any P x € C, we also havd_J: 

Px{r n+N ) < n J P r n +N (a) 7V -" +N(a) , (A3) 

where /V r n+iv(a) indicates the number of times that symbol a appears in r n+N , and where equality holds 
if and only if P x (a) = P r n+jv(a) for all a. By applying the log function we have: 

log P x {r n+N ) < log Yl P rn+N {a) N ^ N ^ (A4) 

= logJ] P r „ +N (a)^"W +JV ^°» 
aex 

= ^A^(a)logP rn+ «(a)+ 
aex 



J2N t N(a)\ogP r n +N (a). 



a<=X 

"Relationship ( IA3t can be proved, for instance, by exploiting the inequality In a; > (1 — 1/x) (where the equality holds if 
and only if x = 1). 
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By inserting the above inequality in (IA2b . and by using the definition of empirical KL divergence, we 
obtain: 

nV(P xn \\P x ) + NV{P tN \\P x ) (A5) 

^" a log * 7 + ^ iV> a log -i y 

= nV(P x n\\P r n+ N ) + NV(P t N\\P rn+ N), 

where the equality holds if and only if Px = P r n+N, thus completing the proof. 

B. Topology of T£ C (Q) 

Many of the proofs in the body of the paper relies on the following lemma. 

Lemma 4. Let {Qjv(n)} be a sequence of pmf's such that Qjv(n) ~~ ^ Q w/zen n — > oo. r/ie«, /or a«v pm/ 
P* in T^ C (Q) a sequence P n exists such that P n G r^ c (Qjv( n )) for each n and P n — >■ P*. 

Proof: To prove the lemma, we will show that for any s > and n large enough, we can find a 
pmf P n G rj l rc (QAr(n)) sucn that d(P n ,P*) < e. Specifically, we will do so by assuming that P* G 
U n T™ rc (Q). If this is not the case, in fact, by the definition of T^ C (Q), it is possible to find a pmf 
P' G U n r" rc (Q) that is arbitrarily close to P* , and then a pmf in r^. c (Qiv(n)) that is arbitrarily close 
to P' and hence to P*. Let then P* belong to rj" c (Q) for some m. This means that for any sequence 
yin g ^(P*) a mapping / exists that transforms y m into a sequence z m such that 

h c (P z m,Q) = \-5 m -S (A6) 

with 5 m = |r ; f|[log(m + l)(N(m) + l)]/m and where 5 is a strictly positive quantity. Due to the density 
of U n V n in set of all pmf's, we can find a sequence of pmf's P n that tends to P* when n tends to infinity 
and for which P n G V n for each n. Let y n be a sequence in T(P n ). Let n/(z — > j) indicate the number 
of times that the mapping / transforms the i-th symbol of the alphabet into the j-th one. By starting 
from the mapping /, for each n we build a mapping v ( n > for which n v ( n ) (i — > j) = \rif(i — > j) ■ n/m\. 
When n increases the type of z n = v^ n '(y n ) will approach that of z m = f(y m ) for any y m in P*. 
By remembering that Qn(u) ~~ ^ Q when n tends to infinity, and by exploiting the continuity of the h 
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function, we can write: 

h c (P z n,Q N(n) ) = h c (P zn ,Q) + p' n (A7) 

= h c (P zm ,Q) + f3> n + p>> 

= \-5 m -5 + p' n + Pl 

where /3' n and /3" tend to zero when n — > oo. Given that 5 is a fixed and strictly positive number, we 
conclude that when n is large, P z n belongs to A" r (Qjv(n) ) an ^ nence Pn belongs to Tf rc (Q N r n -j), thus 
completing the proof. ■ 

C. Topology of T%JQ,Q) 

The analysis of version a of the hypothesis testing game needs that lemma [4] is generalized as follows. 

Lemma 5. Let {Qnua} and {-Rjv(n)} b e two sequences ofpmf's such that Qjv(n) ~~ ► Q an d P-N(n) ~~ ^ Q 
as n — > oo. Then, for any pmf P* in F^ a (Q, Q) a sequence P n € ^tra(QN(n)j PjV(n)) exists such that 

Pn -> P*. 

Proof: Given the definition of T^ a (Q, Q) as the closure of \J n T™ r a (Q, Q), we proceed as in Lemma 
SI and limit our proof to the special case in which P* € |J n f " r]0 (Q, Q). Let then P* belong to f ™ a (Q, Q) 
for some m. This means that for any sequence y m G T(P*) the function 

/V\Q) = arg min h c (P z n>,Q) (A8) 

2 m :ii(z m ,!/ m )<mD 

maps y m into a sequence z m such that 

h c (P zm ,Q) = X-5 m -5, (A9) 

with <5 m = |Af|[log(m + l)(N(m) + l)]/m and where 6 is a strictly positive quantity. Due to the density 
of rational numbers in the real line, we can find a sequence of pmf 's P n that tends to P* when n tends to 
infinity and for which P n £ V n for each n. Let u n be a sequence in T(P n ). By reasoning as in Lemma 
IH we can define a, distortion-limited, mapping u for which n v {i — > j) = \nAi — > j) • n/mj. As we 
have shown in Lemma 01 when n is large, v brings the sequence u n into a sequence w n S A^ r ' n , so that, 
for any Qjv(n) ~~ ^ Q an d n large enough, we have: 

h c (P w n,Q Nin) )=\-5 m -S + P' n , (A10) 

with (3' n approaching zero when n increases. This, however, is not enough to ensure that P n € ^(Qjvfn)! Pjv(n))> 
since for this to be the case the minimization (IA8I ) has to be carried by using R^in) instead of Qjv(n)> 
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and so there is no guarantee that the optimum mapping function will be v (or another mapping better than 
that). Despite this observation, we can exploit the fact that i?j\r(n) tends to Q when n tends to infinity, to 
show that indeed, for large n, P n <G I^. a (Qjv(n),.R./v(n))- Given u n G P n , let r n be defined as follows: 

r n = arg min h c (P rn ,R N(n) ). (All) 

r":d(r",ti")<nD 

Since both Qjv(n) an d -Rjv(n) tend to Q, when n increases they will get arbitrarily close to each other. 
By exploiting the continuity of the h c function, we can write the following chain of inequalities: 

h c (P r n,Q N(n) ) < h c (P r ,,R N{n) ) + ^ (A12) 

(6) 

< h c (P w n.,R N (j^) +/3 n 
<h c (P w ,,Q N{n) ) + (3'; + ^ 

QX-Sn-S + fc + fli + fll 

<X-6 n - 6 + & + % + /%', 

where P' n , f3'n and (5™ can be made arbitrarily small by increasing n, and where (a) and (c) derive 
from the continuity of the h c function and from the fact that Qn/ u \ and i?jv( n ) ten d to the same limit, 
(6) is due to the fact that r n is the solution of the minimization in (IA1 lb . (d) derives from (lAlOK 
and (e) is due to the fact that for a fixed m when n increases 5 n = \X\[\og(n + l)(N(n) + l)]/n < 
|^|[log(m + l)(N(m) + l)]/m = S m . 
Equation (|A12b proves that P n G rj l r , a (Q7v(^) ) Rn(ti))> thus completing the proof of the lemma. ■ 
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